Happy New Year to all Cyberclippers; goblins, elves, and well-wishing penpushers !! The CURSE of the FROZEN DIALOGUE to all the Badfingers !!! ( Naturally, excluding those who may not have gotten the panhandle from their father !!)

Thank you for the support thro' 2011. Hope you find something of value/interest in the new thread. The new INDEX thread will follow shortly. Please refrain from scoring on both threads.
Security is the mainstay of the thread with some related and varied topics. Scroll down for the latest posts !!
Note: no entry/post should be taken as a personal recommendation, unless otherwise stated.
Please continue to keep CYBERCLIPS free of junk and unattractive to any contentious individuals. * Keep patching : up to date : be Cybersafe ! *

Microsoft patches dangerous web flaw in double time
Denial of service hole closed
By John E Dunn | Techworld | 31 December 11

Microsoft has issued an out-of-band fix for a vulnerability in its ASP.NET web platform that could allow an attacker to launch a successful DoS attack on a server using nothing more sophisticated than a stream of 100kb files.

Although not yet being exploited in the wild, Microsoft decided the potential for trouble was sufficient to act in what will be its only standalone fix for the whole of 2011.

An attacker exploiting Security Advisory 2659883, rated critical, could exploit a weakness in the way ASP.NET and a number of other web applications including Java and PHP 5 generate hash tables from an HTTP POST request, eating a server CPU's entire resources for a period of time with a single file.

Normally, a denial of service attack with that level of success would require a botnet of thousands or hundreds of thousands of computers to make much headway on all but the most modestly-defended servers.

"An attacker could potentially repeatedly issue such requests, causing performance to degrade significantly enough to cause a denial of service condition for even multi-core servers or clusters of servers," Microsoft said this week in its advisory.

The flaw was only put into the public domain earlier this week at the Chaos Communication Congress in Berlin by researchers Alexander Klink and Julian Walde, about a month after they informed Microsoft itself, which has garnered Microsoft some praise from researchers for a rapid response.

By Gregg Keizer
January 1, 2012
Computerworld - After a one-month pause, Microsoft's Internet Explorer (IE) resumed its usage share slide in December, dropping to a new low and setting the stage for a fall below 50% as early as March.

IE lost eight-tenths of a percentage point last month to end with a share of 51.9%, according to California-based metrics company Net Applications. IE dropped more than seven points during 2011.

In November, said Net Applications, IE held steady, the only month in the year when it did not lose share.

Google's Chrome benefited most from IE's decline, growing its share by nine-tenths of a percentage point to a record high of 19.1%. Chrome should crack the 20% mark either this month or in February.

As was its practice during much of 2011, Microsoft did not address the continued slide of IE, but instead pointed to IE9's performance on Windows 7, a combination the company has repeatedly said is the only metric that matters.

"Based on where the December data currently stands," said Roger Capriotti, the head of IE marketing, in a Dec. 30 blog, "we're pleased to say IE9 ... will soon take the top spot from IE8 on Windows 7, with usage share expected to come in at nearly 25.6% this month."

On Thursday, hackers released another batch of subscriber data stolen in the Stratfor breach. Stratfor Global Intelligence is a widely used research and analysis company whose website fell prey to a cyber attack a week ago.

The released data contains e-mail addresses along with credit card numbers, c|net reported. The hacker group, reportedly part of the Anonymous movement, disclosed the data with a description on Pastebin; that post links to another website which hosts the information.

The post on Pastebin read, "It's time to dump the full 75,000 names, addresses, CCs and md5 hashed passwords to every customer that has ever paid Stratfor." The post further says that the case does not end there: they are also providing 860,000 email addresses, usernames, and md5 hashed passwords. Incidentally, 50,000 of the mail addresses end with .mil or .gov domain names.

On Monday, George Friedman, Stratfor's CEO, mentioned on the company's Facebook page that the intrusion gave away the names of a few corporate subscribers along with their credit card and personal data.

Users desert Windows XP in near-record numbers
Exodus accelerates over last four months as users move to Windows 7

By Gregg Keizer

Computerworld - Microsoft's Windows XP shed a large amount of usage share again last month as users continued to desert the decade-old operating system for Windows 7.

Windows XP lost 2.4 percentage points of share to post a December average of 46.5%, a new low for the aged OS in the tracking of Web metrics firm Net Applications. The month's fall nearly matched the record 2.5-point drop of October.

In the four months from September to December, XP jettisoned more than 11% of its share as of Sept. 1, falling by nearly six percentage points during the period.

The four months prior to that -- May through August -- XP lost only 3.4 points, or about 8.5% of the share it owned as of May 1.

Windows 7 has been the beneficiary of XP's decline, gaining 2.4 percentage points last month to reach 37%. In the same four months that XP lost 5.9 points, Windows 7 grew by 6.4 points, taking up the slack from not only Microsoft's oldest supported OS, but also the hapless Windows Vista.

The 'Hackerspace Global Grid' will include satellites in orbit, along with ground stations to track and communicate with them.
A group of hackers has announced plans to launch a satellite network in an effort to fight Internet censorship.

"According to BBC News, the plan was recently outlined at the Chaos Communication Congress in Berlin," writes Threatpost's Brian Prince. "Dubbed the 'Hackerspace Global Grid,' the project calls not only for the launching of satellites in orbit but also the development of a grid of ground stations to track and communicate with the satellites."

"Hacker activist Nick Farr reportedly first put out calls for people to contribute to the project in August in response to the threat of Internet censorship," Prince writes. "He cited the proposed Stop Online Piracy Act (SOPA) in the United States as a prime example."

Even more minimalist
By Chris Martin
Tue Jan 03 2012, 10:40
INTERNET SEARCH GIANT Google has started rolling out a new look interface for some users.
The redesign shifts the web page layout and how users can access the different parts of Google. The firm has replaced the previous horizontal black bar at the top with a grey logo, from which a drop down menu can be accessed.

Google announced the revamp a while ago and said, "We're now ready for the next stage of our redesign - a new Google bar that will enable you to navigate quickly between our services, as well as share the right stuff with the right people easily on Google+."
The list displays links to Google's other services such as Maps, Gmail, Google+ and News, each with its own icon. However, the first eight items listed also contain a link to Youtube, a non-Google branded service. A 'more' button then reveals additional content as usual.
It's more minimalist than before but actually there are more clicks required to get places. Google said the changes will make navigation and sharing "super simple".
The rollout is gradual so not everyone will see the new look yet, and only one member of The INQUIRER staff has it so far. http://www.theinquirer.net/inquirer/news/2134822/g...

2011 was the year of the cyber criminal
Cyber crooks raided networks, pillaged data, and wreaked havoc in 2011, thanks to our persistently shoddy IT security practices

By Roger A. Grimes | InfoWorld

In the world of IT security, 2011 was a great year -- for cyber criminals. One exception would be a certain Russian cyber crime ring pushing spam for meds. But outside of that global aberration, it's been a good year for the villainy of the Internet, in part thanks to end-users and organizations who have once again failed to take basic steps to protect themselves from attacks.

Few companies, if any, were patching in 2011, not even enough so to prevent the most common malware attacks. I've yet to visit a single company that has adequately patched Adobe Reader, Adobe Flash, or Java, all of which show up on top 10 lists of the most exploited client-side software, month after month. Whenever people tell me they have high confidence in their great patching, I always check for those three products, and the customer is always -- I repeat, always -- unpatched. I've yet to find a client that had all their Internet-facing routers patched. Never. It's been 20 years.

Luckily for most cyber criminals, end-users still readily use the same password across most of their websites. Attackers were eagerly compromising the weakest websites to swipe credentials for breaking into the more secure, more popular websites. That phenomenon has driven some site operators to reset all user passwords. We're all sharing the same pool, apparently.

After giving HP around a month to patch the vulnerabilities affecting some of its LaserJet printers, Columbia University researcher Ang Cui demonstrated his proof of concept at the 28C3 Chaos Communication Congress in Berlin, Germany.

In a one-hour demonstration, Cui explained how he managed to reverse-engineer the firmware update process on some HP LaserJet printers, allowing him to take over not only the printer, but also the entire local area network (LAN) to which the printer is connected.

In his first demo, the researcher sent a maliciously crafted document to a printer, altering the system to make a copy of all the printed documents, posting them online to a certain IP address.

The second example proved that a printer could be compromised with a specially designed file, allowing an attacker to scan an entire LAN in search of vulnerable PCs that could be exploited.

Cui advises users to immediately update their printer’s firmware because, if cybercriminals manage to access the device first, they may program it so that it refuses other updates.

He also explained that the firmware update issued by HP to make sure that only signed firmware is accepted by the device only partly solves the problem.

By Gregg Keizer
January 5, 2012 04:13 PM ET
Computerworld - Microsoft today said it would deliver seven security updates next week -- tying the record for January -- to patch eight vulnerabilities in Windows and its developer tools.

But the company declined to confirm that the Jan. 10 slate will include a patch pulled at the last minute a month ago.

One of the seven updates was tagged "critical," the highest threat ranking in Microsoft's four-step system, while the others were marked "important," the second-highest rating, even though some of them could conceivably be exploited by attackers to plant malware on users' PCs.

Altogether, three of the updates were labeled as "remote code execution," meaning they could be used to hijack an unpatched system, Microsoft said in its monthly advance notification.

A twist to this month's Patch Tuesday is Microsoft's classification of one of the updates as "security feature bypass," a label it's never before applied.

"[Security feature bypass]-class issues in themselves can't be leveraged by an attacker," said Angela Gunn, a spokeswoman for the Microsoft Security Response Center, in a post to that group's blog today. "Rather, a would-be attacker would use them to facilitate use of another exploit."

Microsoft's 2012 kick-off features 7 security bulletins
By John Leyden

Posted in Developer, 6th January 2012 16:02 GMT

Microsoft plans to start 2012 with a surprisingly large Patch Tuesday that covers seven security bulletins which collectively address eight separate vulnerabilities. Previous January releases have normally featured only one or two bulletins.

The solitary critical bulletin in the batch fixes a remote code execution issue in Media Player. The remaining six "important" bulletins due next Tuesday handle the BEAST SSL issue and various information disclosure bugs, escalation of privilege issues and an update to Microsoft's SEHOP (Structured Exception Handler Overwrite Protection) technology to enhance the defence-in-depth capability that it offers to legacy applications. The "important" rather than critical status for the BEAST SSL issue is at least debatable.

The BEAST attack affects web servers that support SSLv3/TLSv1 encryption. Microsoft has already published a workaround, which involves using the non-affected RC4 cipher in SSL installations. A patch was originally promised in December but delayed until this month due to problems uncovered during testing.

"Despite all of the hype over 'The Beast', attacks have simply never materialised and the issue has retained its 'important' classification from Microsoft," notes Paul Henry, a security and forensic analyst at Lumension.

Adobe and Oracle have both timetabled quarterly updates, on 10 January and 17 January, respectively in what promises to be a busy month for patching, Qualys adds.

Highlights:
Security fixes
Stability fixes
If you find new issues, please let us know by visiting our help site or filing a bug. You can also submit feedback using "Report an issue" under the wrench icon. Interested in switching to the Dev channel? Find out how.

Full details about what changes have been made in this release are available in the SVN revisions log. Interested in switching to another channel? Find out how. If you find a new issue, please let us know by filing a bug.

Beta Channel Update
| 12:00
Labels: Beta updates
The Chrome team is excited to announce the release of Chrome 17 to the Beta Channel. 17.0.963.26 contains a number of new features including:
New Extensions APIs
Updated Omnibox Prerendering
Download Scanning Protection
Many other small changes
More detailed updates are available on the Chrome Blog. Full details about what changes are in this release are available in the SVN revision log. Interested in chilling on the beta channel? Find out how. If you find a new issue, please let us know by filing a bug.

The Dev channel has been updated to 17.0.963.27 (Platform version: 1412.64) for Chromebooks (Acer AC700, Samsung Series 5 , and Cr-48).

Highlights:
Pepper flash: release 11.1.31.209
Stability improvements
File Browser improvements
If you find new issues, please let us know by visiting our help site or filing a bug. You can also submit feedback using "Report an issue" under the wrench icon. Interested in switching to the Dev channel? Find out how.

Orit Mazor
Google Chrome

Dev Channel Update
Wednesday, January 4, 2012 | 16:09
Labels: Dev updates
The Dev channel has been updated to 17.0.963.26 for all platforms except ChromeOS. This release contains the following updates:

Full details about what changes are in this release are available in the SVN revision log. Interested in switching to a different release channel? Find out how. If you find a new issue, please let us know by filing a bug.

Refresh or reset a PC
By Dave Neal
Thu Jan 05 2012, 12:43
SOFTWARE HOUSE Microsoft has detailed the options that will be available to recover a crashed PC running Windows 8.
Users will be offered two alternatives when presented with a Windows crash, with options to either refresh or reset their lost machine.
The changes are detailed in a blog post from the firm where the refresh option was described as a way of retaining some work while restoring core OS functions. The other is a full face wipe.
"We've built two new features in Windows 8 that can help you get your PCs back to a 'good state' when they're not working their best, or back to the 'factory state' when you're about to give them to someone else or decommission them," explains Microsoft's Steven Sinofsky in the introductory blog post.

Pooled storage shores up resources
By Dave Neal
Fri Jan 06 2012, 13:55
SOFTWARE CHURN FACTORY Microsoft has revealed how it plans to improve storage performance in Windows 8.
The feature called Storage Spaces is described by the firm in a blog post, and will use physical storage in a much more virtual way by creating pools using USB, SATA, or Serial Attached SCSI (SAS) disks that can be expanded with the addition of more hardware. Although it is not designed to replace Windows Home Server Drive Extender technology wholesale, it does perform some of its main tasks and will fill a gap for users.
Virtual disks known here as spaces will have thin provisioning features that could turn 4TB of space into 10TB, as well as resiliency to failures of physical media, the firm explained. Microsoft's Steven Sinofsky, who told us yesterday about the reset and refresh options in Windows 8, introduces the features.
"With thin provisioning, you can augment physical capacity within the pool on an as-needed basis. As you copy more files and approach the limit of available physical capacity within the pool, Storage Spaces will pop up a notification telling you that you need to add more capacity," Microsoft writes.
"You can do so very simply by purchasing additional disks and adding them to your existing pool. Once we have added this physical capacity, we don't need to do anything more to consume it. We can simply keep copying files or other data to the space within the pool and this space will automatically grow to utilize all available capacity within the containing pool, subject to its maximum logical size of 10TB."

Tomorrow, Microsoft will push a new software update to its customers as part of its monthly schedule, with seven bulletins included in the release.

The Microsoft Security Bulletin Advance Notification for January 2012 that was issued today offers some info on tomorrow’s update, though the complete details on it will not be published until tomorrow.

Out of the said 7 bulletins, one is rated Critical. The security issue it patches could allow for Remote Code Execution, Microsoft explains.

The bulletin is targeted at Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, though it is rated Important for the last two OS flavors.

The issue was found on both x86 and x64 versions of these platforms and affects machines that have Service Pack 2 installed on Windows XP, Windows Server 2003, Windows Vista or Windows Server 2008, or Service Pack 1 installed on Windows 7 and Windows Server 2008 R2.

Five bulletins are rated Important, though they are not affecting all of the aforementioned versions of Windows. The seventh bulletin is aimed at Microsoft Developer Tools and Software, and is rated Important.

The Microsoft Security Bulletin Advance Notification for January 2012 also explains that not all of the said five Important bulletins are meant for all of the aforementioned Windows flavors.

Two of these could allow Remote Code Execution on affected platforms. Others refer to Security Feature Bypass, Elevation of Privilege, and Information Disclosure, Microsoft explains.

The January security update will be automatically delivered to all affected Windows Platforms via the automatic update process, as soon as users have it activated on their computers.

Only two weeks ago, Microsoft had to issue an out-of-band update for a series of its products to resolve a publicly disclosed vulnerability in .NET Framework, along with some privately signaled security issues in Windows and other products.

Last Thursday, Google updated Chrome 16 with a security update that quashed three bugs, all rated "high," the company's second-most-dire threat rating.

Two of the bugs warranted bounties of $1,000 each, including one to a developer who works for rival Mozilla, maker of Firefox. Google, like Mozilla, pays outside investigators for bugs they report: Last year, Google wrote checks totaling $180,000 to bug hunters.

Also last week, Google released the first beta of the next edition in its line, Chrome 17.

According to Google engineer Dominic Hamon, Chrome 17 expands on the anti-malware download warnings that were first added to Chrome's code in April 2011 and appeared in the stable channel of the browser in June 2011's Chrome 12.

"Chrome now includes expanded functionality to analyze executable files -- such as '.exe' and '.msi' files -- that you download," said Hamon in a blog post. "If a file you download is known to be bad, or is hosted on a website that hosts a relatively high percentage of malicious downloads, Chrome will warn you that the file appears to be malicious and that you should discard it."

Oracle's latest Java moves frustrate users and vendors
The company is under fire for modularization, licensing, and security issues

By Paul Krill
January 10, 2012 06:24 AM ET
InfoWorld - Oracle, which officially took on the big job of shepherding Java two years ago this month, is traveling bumpy roads lately, with its modularization and licensing plans for Java raising eyebrows and security concerns coming to the fore as well.

Plans for version 8 of Java Platform Standard Edition, which is due next year, call for inclusion of Project Jigsaw to add modular capabilities to Java. But some organizations are concerned with how Oracle's plans might conflict with the OSGi module system already geared to Java. In the licensing arena, Canonical, the maker of Ubuntu Linux, says Oracle is no longer letting Linux distributors redistribute Oracle's own commercial Java, causing difficulties for the company. Meanwhile, security vendor F-Secure views Java as a security hindrance. (Oracle declined to discuss these issues with InfoWorld.)

New efforts in 2012 could make the open source browser even more secure.

By Sean Michael Kerner

The year 2012 will likely be a milestone for Mozilla's Firefox web browser, as the open source group aims to further accelerate web innovation. Among the ways that Mozilla plans on improving Firefox in 2012 is by way of a number of efforts that could make the browser more secure for a greater number of users.

Mozilla makes incremental security updates with each release -- such as the recent Firefox 9 update, which patched several security vulnerabilities. The open source browser vendor also works on making the overall platform more secure, which will be the core focus in 2012.

"Longer term, a lot of the work that we do around core technologies factors in security primitives," Johnathan Nightingale, Director of Firefox Engineering at Mozilla told InternetNews.com. (The term "security primitives" refers to the building blocks used to provide security services in the software application.)

As an example, Nightingale noted that Mozilla configured support for WebGL as a way to address security concerns with cross-domain texture loading. He explained that with WebGL the idea was to utilize a protocol-based solution that can shut down an entire class of vulnerabilities.

More recently, Mozilla has been working on JIT hardening to mitigate against JIT spraying attacks. The JIT (Just-In-Time) compiler in JavaScript is a common attack vector in modern browser attacks.

"The reality is that the way our JIT engine is built makes it somewhat resilient to JIT Spraying attacks," Nightingale said. "But there is still work we can do on that class of vulnerability to just get it out of the realm of even the theoretical -- and that work is ongoing."

Another approach to browser security, which has already been adopted by Google Chrome, is known as "process sandboxing." With process sandboxing, the idea is to isolate processes in order to reduce the potential risk and attack surface for a given browser process or operation.

"Sandboxing has some real benefits, but it's not a silver bullet," Nightingale said. "It is something that our platform team is looking at really closely."

HP has quietly patched a serious security vulnerability that had left its LaserJet printers open to attack by net villains.

The security bug, first discovered by researchers at Columbia University, created a means for miscreants to install malware on vulnerable devices simply by uploading new firmware to them over a network or tricking users into printing a specially constructed document that installs a malicious firmware update.

The flaw, which stemmed from a failure to ensure firmware updates are digitally signed, could allow hackers to extract files previously printed or scanned by compromised devices, or launch attacks from hacked gear against more sensitive machines from within a corporate network.

Some reports at the time speculated that the same vulnerability could even be used to turn compromised printers into firebombs, although built-in thermal controls are not affected by firmware updates (malicious or otherwise) and ought to prevent this.

HP quietly snuck out a fix for affected printers on 23 December, two days before Christmas, as part of a low-key update. A list of affected devices can be found on HP's website here.

Researchers at Columbia University demonstrated the flaw at the Chaos Communication Congress (28c3) hacker conference in Berlin late last month - a YouTube video is here.

The discovery of a highly sophisticated malware network is leading some security firms to reshape their view of cyber crime operations.
Known as Shnakule, the operation employs a massive network of servers to attack sites as well as compromised pages to exploit vulnerabilities and infect users' computers.

Shnakule spans a number of attack vectors and is believed to have been used for multiple attacks, with active servers ranging from hundreds to thousands of systems at a time.
Steve Schoenfeld, vice president of product management and product marketing at Blue Coat, told V3 that his firm has been tracking the Shnakule operation for a number of months through its WebPulse security network.
He said the company's findings defy conventional knowledge of how malware and cyber crime operations work.
Attacks that had previously appeared to be isolated events are now believed to be the work of various systems operating within the cyber crime network. Blue Coat estimates that such networks will be responsible for as much as two-thirds of all attacks in 2012.

Firefox 10 b4 is now available for download. It looks like this build is also very close to entering the release candidate stage and then becoming the new stable release, as the development milestones have already been marked towards this end.

Code freeze for Firefox 10 is scheduled for January 20, while the release candidate build is planned three days later, on January 23. Concluding the code for this version of the browser is also pinned in the calendar, for January 25, so that the days until migrating the code to stable (January 31) can be used for further testing.

As far as features are concerned, default add-on compatibility is targeted to be delivered with Firefox 10. However, a decision on shipping add-ons compatible by default and the configuration settings has not been reached yet; this will be established in the release candidate stage.

Microsoft is moving forth with the development of its next flavor of Windows, codenamed Windows 8, but has yet to confirm a specific availability date for the platform.

Recent reports around the Internet suggest that the release timeframe for this OS might have been set for October.

Windows 7 was launched in October, three years ago, and Microsoft might be determined to celebrate its anniversary with the release of a new platform version.

This week at the 2012 International Consumer Electronics Show, Janelle Poole, director of public relations of the Windows Business Group, suggested that fall could indeed be the release timeframe for Windows 8, Pocket-lint reports.

"We haven't talked about the release date and we generally don't. We are talking milestone to milestone, so for us right now we're talking about the next milestone being the consumer preview happening in late February," Janelle Poole reportedly stated.

"One of the things that I think is a good guideline though is we've always said that Windows releases come round about every three years and this year will be three years in October since we launched Windows 7. So I think that's a good guideline to consider."

It has been long rumored that Windows 8 will be completed by mid-2012, and that manufacturers will receive it around that time.

Microsoft is to offer a real-time intelligence feed of botnet and e-crime data to public and private sector subscribers, according to security company Kaspersky.

Data from networks of compromised computers will be among the information on offer to ISPs, CERTs, government agencies and private companies, Kaspersky said in a blog post on Wednesday. The data will be tailored to customer needs, the security company said.

"Microsoft collects the data by leveraging its huge internet infrastructure, including a load-balanced, 80Gb/second global network, to swallow botnets whole — pointing botnet infected hosts to addresses that Microsoft controls, capturing their activity and effectively taking them offline," said Kaspersky.

Data sources open to Microsoft include information from the Kelihos, Waledac, and Rustock botnets, said Kaspersky. Microsoft Digital Crimes Unit (MDCU) is in the process of beta testing the intelligence system, a 70-node cluster running the Apache Hadoop framework on top of Windows Server.

A number of organisations, including the UK government, have called for greater data-sharing to combat e-crime.

Microsoft had not responded to a request for comment at the time of writing.

World Economic Forum puts cyber attacks in top five biggest global risks for 2012
by Phil Muncaster

Cyber attacks are one of the top five global risks likely to impact the planet over the coming year, according to the latest annual report from the World Economic Forum (WEF).
The international organisation interviewed more than 460 experts from industry, government, academia and civil society to compile its seventh Global Risks report.

The proof-of-concept exploit was published last Friday on GitHub, a site that hosts software projects, and has been used in the past by hackers to distribute their work.

Other security experts were not surprised that attack code appeared within days of Microsoft rushing out a patch for a denial-of-service vulnerability in its software.

"No, not surprising at all," Andrew Storms, director of security operations at nCircle Security, said in an interview Tuesday. "There was enough interest [in the researchers' original presentation] that we should have expected exploit code soon."

The presentation Storms referred to was made by German researchers Alexander Klink and Julian Walde on Dec. 28 at the CCC (Chaos Communication Congress) conference in Berlin, where they demonstrated a flaw in the Web's most popular application and site programming languages, including Microsoft's ASP .Net, the open-source PHP and Ruby, Oracle's Java, and Google's V8 JavaScript.

According to Klink and Walde, attackers could cripple Web servers by conducting denial-of-service attacks using a single off-the-shelf PC and a low-bandwidth connection to the Internet.

In a security advisory issued the same day, Microsoft promised to patch the vulnerability in ASP .Net, then followed that on Dec. 29 with its first "out-of-band" update of 2011.

On Jan. 6, someone identified as "HybrisDisaster" published the attack code on GitHub.

The interval between the Klink-Walde presentation and the appearance of attack code was just nine days, eight of them after Microsoft released its emergency patch.

Chrome Updates
Beta Channel Update
Wednesday, January 11, 2012 | 16:00
Labels: Beta updates
The Beta channel has been updated to 17.0.963.33 for all platforms other than Chrome OS. This update fixes a number of stability and UI issues. Full details about what changes are in this build are available in the SVN revision log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug.

Popups opened from a maximized window should now be unmaximized (Issue: 106967)
Hide panels in presence of full screen app for windows. (Issue: 102731)
Provide windows notification of thread termination (Issues: 107974, 103209)
Abort in-flight load tasks if the DB has been closed. (Issue: 106722)
Linux
Native Client applications should now work on Linux systems where /dev/shm is mounted with the “noexec” option, such as Gentoo (r113228).
Fixed issue where Google Chrome does not start on RHEL 6 and derivative Linux distributions. (r116534)

Oracle to issue 78 patches, including 27 for MySQL
Other fixes are set for Oracle's database, middleware and applications

By Chris Kanaracus
January 13, 2012 11:46 AM
IDG News Service - Oracle is set on Tuesday to release 78 security fixes for vulnerabilities in its database, middleware and applications, according to a preview announcement posted to the company's website this week.

A full 27 of those are targeted for the MySQL database. One of the vulnerabilities can be exploited over a network without log-in credentials. The highest CVSS (Common Vulnerability Scoring System) Base Score among the MySQL bugs is 5.5, which falls into the system's "medium" risk range.

Two other fixes are for Oracle's database, and Oracle is also planning to ship 11 patches for Fusion Middleware. Five of the bugs in the latter can be remotely exploited with no user authentication required.

On the application front, the company's E-Business Suite is getting three patches, its supply chain application suite will receive one, PeopleSoft will get six, and JD Edwards will have eight.

Some 17 patches will be released for Sun products, including six that can be remotely exploited with no credentials. Affected products include GlassFish Enterprise Server and the Solaris OS.

Another three patches are for Oracle's virtualization technology, including VirtualBox

Social news site Reddit will black out its site for 12 hours on Jan. 18 to protest the controversial Stop Online Piracy Act SOPA bill that is currently working its way through the U.S. House of Representatives.

Wikipedia co-founder Jimmy Wales said the site may also conduct a protest blackout, though it remained unclear whether it would join Reddit.

In a blog post earlier this week, Reddit team members said they have decided to black out the site next Wednesday from 8 a.m. to 8 p.m. EST in a bid to draw attention to SOPA.

"Instead of the normal glorious, user-curated chaos of reddit, we will be displaying a simple message about how the PIPA/SOPA legislation would shut down sites like reddit," the blog noted. PIPA is the acronym for the Protect IP Act, the U.S. Senate version of SOPA.

SEARCH ENGINE ALSO-RAN Microsoft has finally managed to surpass Yahoo's US search engine market share.
According to figures released by Comscore, Microsoft's Bing search engine has overtaken Yahoo with 15.1 per cent of the US web search market. The manoeuvre came as Yahoo experienced a 0.6 per cent drop in market share between November 2011 and December 2011.
Microsoft has put considerable research and marketing behind Bing to compete with internet search leader Google, yet has been unable to make a significant dent in Google's market share. Microsoft also signed a deal with Yahoo that saw Bing powering the web portal's search results.
Despite Microsoft's efforts to push Bing, Google still remains the pre-eminent internet search provider by quite some distance.

Security experts came across a large number of websites infected with Trojans, exploit kits and other malicious elements that redirect users to well-known malware distribution points.

Avast Virus Lab identified 60 such websites in the past 30 days, all heavily infected. This is especially dangerous because most of the sites are designed for children, who are more likely to click on anything that pops up on the screen.

A child’s online behavior increases the chances for a piece of malware to end up on the machine, potentially endangering all the sensitive information that’s stored on it.

“Games like these require clicking and children don’t think much about what they are clicking on. This makes them – or their parents’ computer – quite susceptible to malware.” said Ondrej Vlcek, CTO of AVAST Software.

“If there is something dangerous, a child will find it. But, moving between sites is normal behavior for most people – regardless of age.”

One of the more popular websites identified as harmful is cutearcade.com, a collection of colorful games aimed mainly at children. Customers who rely on Avast products to secure their devices have reported this site as infected 12,600 times.

The Trojan it hosts redirects visitors to linuxstabs.com, a domain known for distributing all sorts of malware.

Microsoft’s Trustworthy Computing initiative is now 10 years old, and the Redmond-based company is proud of this achievement.

The Trustworthy Computing (TwC) Initiative was aimed at ensuring that all users were able to have a secure, private, and reliable experience when on their computers.

The move was announced ten years ago in an email that Bill Gates sent to all employees, and which also defined some of the key aspects of Trustworthy Computing.

“The impetus for Bill’s email was a growing recognition of the role of computing in society, as well as our responsibilities as an industry leader,” Craig Mundie, Microsoft chief research and strategy officer, explains in a memo sent to the company’s employees.

“Today, information and communications technology (ICT) underpins every aspect of our personal and professional lives. While it is indisputable that ICT has transformed for the better how we live, society still confronts some long-standing and evolving challenges.”

Security is of great importance when the electrical power grid is involved, as well as when it comes to financial and telecommunications systems. Privacy must be protected too, Mundie explains, adding that Microsoft also has to ensure that its products and services remain reliable.

“As the world continues to change, this TwC milestone provides an opportunity to reflect on the past and prepare for the future. Our internal and external work over the past ten years has unquestionably raised the bar in software quality, and demonstrated our commitment to building trustworthy products,” he continues.

Windows 8 on ARM: You can look but you can't touch
Windows 8 was shown on a few ARM-based devices at CES, but Microsoft doesn't want people playing with it before it's ready

By James Niccolai

IDG News Service - For a touch-based interface it was awfully hard to get hold of. Microsoft's Windows 8 OS was shown on a handful of prototype ARM-based tablets at the Consumer Electronics Show this week, but almost no one was allowed to try it out.

Nvidia had three Windows 8 tablets in its booth but they were all behind glass. Texas Instruments showed a Windows 8 tablet in a meeting room off the show floor, but a reporter who asked to try it was told that wasn't permitted. Qualcomm, the third vendor of ARM-based chips working with Windows 8, wasn't showing it at all.

Representatives from all three companies said Microsoft has placed tight limits on how they can show Windows on ARM. It's apparently taking no chances that people might have a bad experience with the software before it's ready for release, which could harm its reputation.

"I think they're being a little measured because they want to make sure that when people finally see these things that it's a good experience. They have to get it right," Mike Rayfield, general manager of Nvidia's mobile business unit, said in an interview.

January 14th, 2012, 07:52 GMT · By Eduard Kovacs
FileDen Works on Securing User Data After Breach

A couple of days ago we learned that the file hosting and online storage site FileDen was breached by a hacker called xdev@b4lc4nh4ck, who managed to leak 4,500 customer account details. The website is currently down for maintenance and its administrators are working on securing user data.

Right after I learned of the hacking operation, I contacted FileDen to see if they’re aware of the breach and to find out if they’re doing anything to secure their customers' assets.

A Security Operations team member responded to my inquiry and revealed that a hacker got past their security protocol and gained access to usernames, passwords and email addresses right as they were preparing to migrate their clients’ files to a more secure platform.

“Once the possible security breach was discovered we took immediate action to protect our users data. At no time did the hacker have access to credit card or other financial data, nor is that data stored on our site,” FileDen’s Jason said.

Currently, they’re in the process of notifying users of the security breach advising them to take immediate measures to protect their accounts.

FileDen customers are advised to reset their accounts with a strong password, preferably a mix of upper- and lowercase letters, numbers and symbols.

Judging by the leaked data, the hackers obtained only MD5 hashes of the passwords, but such hashes are easy to crack: a password is not "decrypted" but guessed and hashed until a match is found, and a common choice such as "123456" falls to a wordlist in seconds. Without a per-user salt, every guess can also be checked against all leaked accounts at once.
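To show what "easy to crack" means for a dump like this, here is an added example (not FileDen's code and not the leaked data; the dump and wordlist are constructed stand-ins). It cracks unsalted MD5 hashes with one lookup table for all users, then stores the same passwords with a per-user salt and PBKDF2 to show why the same shortcut no longer works.

```python
"""Cracking unsalted MD5 password hashes versus salted, iterated PBKDF2.
Added example; the LEAKED_DUMP and WORDLIST below are constructed."""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed stand-in for a leak of unsalted MD5(password) per user.
LEAKED_DUMP: Dict[str, str] = {
    "alice": hashlib.md5(b"123456").hexdigest(),
    "bob": hashlib.md5(b"letmein").hexdigest(),
    "carol": hashlib.md5(b"correct horse battery staple").hexdigest(),
}
# Constructed wordlist; real ones have millions of entries.
WORDLIST: List[bytes] = [b"password", b"123456", b"qwerty", b"letmein", b"iloveyou"]


def crack_unsalted_md5(dump: Dict[str, str], wordlist: List[bytes]) -> Dict[str, bytes]:
    """One MD5 per candidate word cracks every account at once: hash the
    wordlist into a lookup table, then look each leaked hash up. Identical
    passwords have identical hashes, so precomputed tables work the same way."""
    table = {hashlib.md5(word).hexdigest(): word for word in wordlist}
    return {user: table[h] for user, h in dump.items() if h in table}


Record = Tuple[bytes, int, bytes]  # (salt, iterations, derived key)


def store_password(password: bytes, iterations: int = 100_000) -> Record:
    """Salted, iterated PBKDF2-HMAC-SHA256: the random per-user salt defeats
    shared lookup tables; the iteration count makes each guess cost real CPU."""
    salt = os.urandom(16)
    return salt, iterations, hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def verify_password(password: bytes, record: Record) -> bool:
    salt, iterations, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return hmac.compare_digest(candidate, expected)


def crack_salted(records: Dict[str, Record], wordlist: List[bytes]) -> Dict[str, bytes]:
    """No shared table is possible: every (user, word) pair costs a full KDF run,
    so the work is users x words x iterations instead of just words."""
    cracked: Dict[str, bytes] = {}
    for user, record in records.items():
        for word in wordlist:
            if verify_password(word, record):
                cracked[user] = word
                break
    return cracked


if __name__ == "__main__":
    print("unsalted MD5:", crack_unsalted_md5(LEAKED_DUMP, WORDLIST))
    salted = {user: store_password(pw, iterations=1000)
              for user, pw in [("alice", b"123456"), ("carol", b"correct horse battery staple")]}
    print("salted PBKDF2:", crack_salted(salted, WORDLIST))
```

The weak password still falls in the salted case; what changes is that the attacker pays the full KDF cost per user per guess, and a strong passphrase like carol's stays out of reach of any wordlist.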

“It is an unfortunate reality that in the world in which we live there are those who seek to harm, therefore we want our users to know we are committed to the security and integrity of their data and we will be in touch with them constantly as new information becomes available,” Jason concludes.

The body that polices Internet registrations will on Thursday launch a domain name "revolution" in the face of the concerns of global bodies ranging from the United Nations to the US Congress.

The Red Cross and International Olympic Committee have already secured exclusions from the new sector that would allow company, organization and city names to rival .com as Internet addresses.
The head of the Zulus in southern Africa and a wealthy Middle East family have already expressed an interest in being part of what Rod Beckstrom, president of the Internet Corporation for Assigned Names and Numbers (ICANN), has called a "new domain name system revolution".
The new generic top level domains (GTLDs) would allow Internet names such as .Apple or .IMF or .Paris instead of .com or .org.
ICANN says the huge expansion of the Internet, with two billion users around the world, half of them in Asia, requires the new names.
But the International Monetary Fund was among more than 25 global bodies which sent a letter to ICANN last month expressing concern about the possible "misleading registration and use" of their names.
The US Association of National Advertisers and non-profit groups such as the Young Men's Christian Association, YMCA, criticized the plan at a US Congress hearing last month.
They fear it could cause confusion about their Internet presence and force them to spend huge amounts on "defensive registration" to stop cybersquatters, who buy up names and try to sell them at an inflated price, and fraudsters.
Registration will cost $185,000 with a $25,000 annual fee after that.

Anyone hoping that AMD would manage to make Bulldozer chips much faster on Windows 7 systems may want to give up on that lofty wish.

AMD has just posted a blog announcing the availability of a scheduler update for the Windows 7 operating system.

The hotfix was developed by Microsoft, based on the Windows 8 scheduler code.

Unfortunately, the performance benefits only amount to 1-2% on average, not to the 10% that AMD claims to have seen during initial testing of Windows 8.

Also, not every application got a performance boost in AMD's tests, especially the heavily-threaded ones which use all 8 cores of the AMD FX-8150.

This is explainable by the fact that such programs are “already maxing out the processor.”

“Our testing shows that not every application realizes a performance boost. In fact, heavily threaded apps (those designed to use all 8 cores), get little or no uplift from this hotfix – they are already maxing out the processor. In other cases, the uplift averages out to a 1-2 percent uplift,” says Adam Kozak, a product marketing manager at AMD.

This news may turn out to be somewhat disappointing after the events of December, 2011.

It was quickly taken down and, about a day later, AMD expressed surprise at the event, explaining that it was, in fact, working on two patches, but that neither was ready.

Though it probably didn't please the Sunnyvale, California-based company that it had to disclose information prematurely, it ended up revealing that the two-piece hotfix would be ready by the first quarter of 2012.

The boost isn't spectacular, but it is free, so there shouldn't be any reason not to get it.

NOTE: If the hotfix is available for download, there is a "Hotfix download available" section at the top of the support page. If the section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Non-U.S. customers kept in dark as Zappos cleans up after data breach
Online clothing shop Zappos.com reset the passwords of over 24 million customers after security breach

By Lucian Constantin
January 16, 2012 07:13 AM ET
IDG News Service - Online shoe and apparel shop Zappos.com is advising over 24 million customers to change their passwords following a data breach, but its website is currently inaccessible to people outside the U.S.

Zappos employees received an email from CEO Tony Hsieh on Sunday, alerting them about a security breach that involved the online shop's customer database.

"We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky. We are cooperating with law enforcement to undergo an exhaustive investigation," Hsieh said in the email.

Critical update includes scores of fixes
By Chris Martin
Mon Jan 16 2012, 14:10
ENTERPRISE VENDOR Oracle is gearing up to release a critical update tomorrow.
The firm explained that its critical update is a collection of patches for a number of security vulnerabilities. It is the first of the year and includes fixes for no fewer than 78 flaws across its full range of products.
Oracle said, "While this pre-release announcement is as accurate as possible at the time of publication, the information it contains may change before publication of the Critical Patch Update Advisory."
Oracle admitted that 16 of the vulnerabilities could be exploited remotely over a network without the need for authentication with a user name and password. This includes one vulnerability associated with Oracle's database server.
With cyber attacks being all the rage at the moment, Oracle has warned customers to install the updates as soon as possible to minimise risks.
The software that will get the most fixes is MySQL, with 27 to its name. However, the package with the highest common vulnerability scoring system (CVSS) 2.0 base score is the Sun Products Suite, with a score of 7.8 across its 17 fixes.
The lowest CVSS 2.0 score is 3.7, for Oracle Virtualization, which will get fixes for three vulnerabilities.
Wolfgang Kandek, CTO of security firm Qualys said, "Only Peoplesoft and the virtualization products are not affected by this critical rating - everybody else should pay close attention to the release next Tuesday."

That was the day Microsoft finally woke up, smelled the hackers, and began getting serious about security. Gates wrote:

In the past, we've made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We've done a terrific job at that, but all those great features won't matter unless customers trust our software. So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve. ...If we discover a risk that a feature could compromise someone's privacy, that problem gets solved first.

Of course it's one thing to write a memo, another thing to make it real. The notoriously insecure Internet Explorer didn't stop being a hacker's plaything until the release of IE8 in 2009. During that time frame, Microsoft went from owning 90-plus percent of the browser market to less than 50 percent today. A lot of that had to do with IE's notorious vulnerabilities and poor performance.

An India based hacking outfit has reportedly managed to lay its hands on the source code of Symantec's Norton security software, and is threatening now to publish it online.

Apparently the hacker collective, dubbed "The Lords of Dharmaraja", not only stole the source code of Norton, but also managed to get away with other confidential documentation belonging to Symantec - the maker of Norton.

The outfit has already published some of the stolen information on the Web - a considerable proportion of which seems to be several years old, though.

Also, it is not yet known whether the group actually breached Symantec's network and stole the Norton source code. The company says it is investigating the claims made by "The Lords of Dharmaraja".

It’s not uncommon to come across phishing emails that point to pages perfectly replicating the legitimate site of the company whose name is involved in the scam. Security experts have found a couple of phishing campaigns that rely on Google Docs to make them look more genuine.

One of the malicious emails targets ANZ Bank customers and because ANZ is one of the largest financial institutions in Australia, many recipients may tend to trust the notification.

“ANZ Bank has a strict policy to ensure that all our customer online banking details are secure and updated regularly,” reads part of the phony email provided by Sophos’ Naked Security blog.

“This is done for your own protection because some of our clients no longer have access to their online banking service due to fraudulent activities suspected by the bank management.”

The link found in the email points to a Google Docs form which requires the victim to provide sensitive information, including full name, email address, customer registration number and password.

Cybercriminals rely on this tactic because this way they don’t have to worry about finding a good free host. With the functions provided by the Google Docs interface, the crooks can design a great interface, automatically generate emails to lure victims, and all the collected data is stored in a spreadsheet that can later be easily accessed.

Posted in Enterprise Security, 17th January 2012 10:18 GMT
Video games purveyor GAME says it has not been hacked after reports yesterday claimed that the retail biz had suffered a security breach.

A list of what purported to be 200 email addresses and unprotected clear-text passwords from GAME was posted on Pastebin, sparking widely reported hacking fears on Monday.

However, after checking the leaked data, GAME said the information was bogus and issued a statement saying that it had no evidence of any breach of its database security.

The latest scam post that circulates on social networking websites claims that WhatsApp Messenger’s providers are planning to set a fee for using their app, urging readers to send messages to friends in order to become a so-called “frequent user.”

“Hallo everybody. WhatsApp is going to cost us money soon. The only way that it will stay free is if you are a frequent user i.e. you have at least 10 people you are chatting with.

“To become a frequent user send this message to 10 people who receive it (2 ticks) and your WhatsApp logo should turn Red to indicate a frequent user,” reads the hoax provided by Hoax Slayer.

A number of versions are hitting social media sites, all of them falsely reporting that the cross-platform mobile messaging app will no longer be free of charge.

These types of hoax messages aren’t doing anyone any good and users can be certain that they’re not helping if they spam their friends.

Firefox 9, which Mozilla released Dec. 20, has yet to be completely "unthrottled," or offered as an update to all users, according to notes from a company meeting last week.

Like other software vendors, including Microsoft and Apple, Mozilla can offer upgrades to a fraction of its users rather than to everyone at once. The practice is designed to ensure that download servers aren't overwhelmed, and to prevent bugs -- if there are any in the update -- from reaching all users.

Coming to all Windows versions eventually
By Lawrence Latif
Tue Jan 17 2012,
SOFTWARE REDEVELOPER Microsoft has revealed details about its upcoming Resilient File System (ReFS), which will make its debut with Windows 8 Server.
Microsoft's ReFS will eventually become the file system for all its Windows variants, replacing NTFS, but will make its first appearance on Windows 8 Server. Surendra Verma, a development manager on Microsoft's storage and file system team, said ReFS will maintain "a high degree of compatibility with a subset of NTFS features that are widely adopted while deprecating others".
Verma went on to claim that ReFS will be optimised for scaling and maintaining data integrity but said that parts of the NTFS codebase will be reused. Verma said, "Underneath this reused portion, the NTFS version of the code-base uses a newly architected engine that implements on-disk structures such as the Master File Table to represent files and directories. ReFS combines this reused code with a brand-new engine, where a significant portion of the innovation behind ReFS lies."

Researchers from the Zero Day Initiative (ZDI) have found a critical vulnerability in McAfee's Security-as-a-Service (SaaS) products. McAfee was notified of the issue in April 2011 but had not provided a patch, so ZDI disclosed the details in line with its 180-day deadline.

An attacker can execute arbitrary code by exploiting the flaw, but only if he manages to convince the potential victim to visit a malicious page or open a specially crafted file. Unfortunately, from previous experience, we know that this is not difficult to accomplish.

“The specific flaw exists within myCIOScn.dll. MyCioScan.Scan.ShowReport() will accept commands that are passed to a function that simply executes them without authentication. This can be leveraged by a malicious attacker to execute arbitrary code within the context of the browser,” reads ZDI’s report.

The issue has been rated with a CVSS score of 9 out of a maximum of 10 which means that the weakness is highly severe.

Since McAfee did not provide a patch, ZDI recommends a workaround to mitigate the threat: set the kill bit for the vulnerable ActiveX control (a per-CLSID registry value under Internet Explorer's ActiveX Compatibility key) so that Internet Explorer will no longer load or script it.

After admitting that the Indian hacker called YamaTough managed to obtain the source code for Symantec Endpoint Protection 11.0 and Symantec Antivirus 10.2, the company came forward with another statement to say that the source code for some of their Norton products was leaked as a result of a hacking operation that targeted their systems in 2006.

According to SecurityWeek, the security solutions provider reports that since the breach took place their security has been upgraded, but didn’t provide other clarifications.

“Upon investigation of the claims made by Anonymous regarding source code disclosure, Symantec believes that the disclosure was the result of a theft of source code that occurred in 2006,” Symantec’s Cris Paden said.

“Due to the age of the exposed source code, except as specifically noted below, Symantec customers - including those running Norton products -- should not be in any increased danger of cyber attacks resulting from this incident,” Paden added.

Computerworld - In a remarkable example of a grassroots campaign gone viral, several websites including Google, Reddit, Wikipedia, BoingBoing, Imgur and Tucows, are planning an unprecedented Internet "strike" Wednesday to protest controversial anti-piracy legislation being considered by Congress.

Many of the sites plan to go completely dark on Jan 18 to show opposition to the Stop Online Piracy Act (SOPA) and the Protect IP Act (PIPA). Google will not go dark, but plans to note its opposition by sticking a protest link on its home page.

"Like many businesses, entrepreneurs and web users, we oppose these bills because there are smart, targeted ways to shut down foreign rogue websites without asking American companies to censor the Internet," Google said in a statement. "So tomorrow we will be joining many other tech companies to highlight this issue on our US home page."

According to Fight for the Future, one of the groups organizing the protests, nearly 12,000 websites have said they will join the blackout. That number is still growing.

Dev Channel Update
Tuesday, January 17, 2012 | 18:14
Labels: Dev updates
The Dev channel has been updated to 18.0.1010.1 for Windows and Chrome Frame; 18.0.1010.0 for Mac and Linux. This build contains the following updates:

All
The PDF plugin now adds ‘Rotate Clockwise’ and ‘Rotate Counterclockwise’ commands to context menus, so users can more easily view documents scanned horizontally.
Updated the first-run bubble text and added a link to change the current search engine. (Issue: 117521)
Fixed HTML5 showing download bar in fullscreen mode. (Issue: 99673)
Mac
Fixed issue where Cmd-W would close the whole window in fullscreen mode. (Issue: 109793)
Fixed best-fit-window-zoom. (Issue: 104170)
Full details about what changes are in this build are available in the SVN revision log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug.

IDG News Service - Vulnerability research firm Secunia announced that, effective from the beginning of the year, software vendors will have a six-month deadline to fix vulnerabilities reported through its Vulnerability Coordination Reward Programme (SVCRP).

Secunia's previous deadline had been established in 2003 and was one year. The decision to reduce it came after studying the history of the company's vulnerability coordination efforts.

The new deadline is similar to what other security firms currently enforce. For example, Hewlett-Packard subsidiary TippingPoint, which runs the well known Zero Day Initiative (ZDI) program, has had a six-month deadline for fixing vulnerabilities reported to vendors since the beginning of last year.

Victims must pay $25 to get back into stalkerbase
By John Leyden •
A new strain of cybercrime Trojan is targeting Facebook users by taking over their machines and shaking them down for cash.

Carberp, like its predecessors ZeuS and SpyEye, infects machines by tricking punters into opening PDFs and Excel documents loaded with malicious code, or attacks computers in drive-by downloads. The hidden malware is designed to steal account information, and harvest credentials for email and social-networking sites.

A new configuration of the Carberp Trojan targets Facebook users to ultimately steal e-cash vouchers. Previous malware attacks on Facebook have been designed purely to slurp login info, so this latest skirmish, spotted by transaction security firm Trusteer, can be considered something of an escalation.

The Carberp variant replaces any Facebook page the user navigates to with a fake page notifying the victim that their Facebook account is temporarily locked. Effectively holding Facebook users hostage, the page asks the mark for their first name, last name, email, date of birth, password and a Ukash 20 euro ($25) voucher number to verify their identity and unlock the account.

The Apache Tomcat developers released an advisory recommending that users update their Apache Tomcat installations to protect themselves against hash-collision denial of service (DoS) attacks.

“Analysis of the recent hash collision vulnerability identified unrelated inefficiencies with Apache Tomcat's handling of large numbers of parameters and parameter values,” reads the advisory.

“These inefficiencies could allow an attacker, via a specially crafted request, to cause large amounts of CPU to be used which in turn could create a denial of service.”

In the latest releases the issue is addressed by changing the parameter-handling code to process large numbers of parameters and values more efficiently.

Users who rely on Tomcat versions between 7.0.0 and 7.0.22, the ones that utilize Tomcat 6.0.33 and earlier variants, and customers of Tomcat 5.5.34 and prior are advised to immediately update to the latest versions that mitigate the threat.

We'll take this opportunity to remind everyone that from September 30, 2012, the Apache Tomcat project will no longer support the 5.5.x branch.
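The Klink/Walde attack described earlier in this thread and the Tomcat advisory above are the same problem seen from two sides, so one added example covers both. It is not the CCC proof of concept and not Microsoft's, PHP's or Tomcat's code: it builds a toy separate-chaining table keyed with DJBX33A (PHP 5's string hash, chosen because its collisions are easy to construct), fills it with colliding parameter names as a malicious POST body would, counts the key comparisons, then shows the two fixes vendors shipped: a per-process keyed hash and a cap on the number of parameters. The default cap values quoted in the comments (1000 for ASP.NET's MaxHttpCollectionKeys and PHP's max_input_vars, 10000 for Tomcat's maxParameterCount) are from those products' documentation; check your own version.

```python
"""Hash-collision DoS against a POST parameter table, and the two mitigations.
Added example: DJBX33A table, colliding keys, keyed hash, parameter cap."""
import hashlib
import itertools
from typing import Callable, List, Optional

MASK32 = 0xFFFFFFFF


def djbx33a(key: bytes) -> int:
    """Bernstein's times-33 hash, unseeded and truncated to 32 bits (PHP 5 style)."""
    h = 5381
    for b in key:
        h = (h * 33 + b) & MASK32
    return h


def colliding_keys(n_blocks: int) -> List[bytes]:
    """b'Ez' and b'FY' hash to the same DJBX33A value and have the same length,
    so every concatenation of n_blocks such blocks collides: 2**n_blocks keys,
    one bucket. This is the kind of key set the attack fills a POST body with."""
    return [b"".join(blocks)
            for blocks in itertools.product((b"Ez", b"FY"), repeat=n_blocks)]


class ChainedTable:
    """Minimal separate-chaining hash table that counts key comparisons, the
    quantity the attack drives quadratic (each insert walks the whole chain)."""

    def __init__(self, hash_fn: Callable[[bytes], int], nbuckets: int = 1024):
        self.hash_fn = hash_fn
        self.buckets: List[list] = [[] for _ in range(nbuckets)]
        self.comparisons = 0

    def put(self, key: bytes, value: bytes) -> None:
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(chain):
            self.comparisons += 1
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))


def keyed_hash(secret: bytes) -> Callable[[bytes], int]:
    """Hash keyed with a per-process secret: an attacker who does not know the
    secret cannot precompute colliding parameter names. (Seeding DJBX33A's
    initial value would NOT help: the Ez/FY collisions survive any seed.)"""
    def h(key: bytes) -> int:
        digest = hashlib.blake2b(key, key=secret, digest_size=4).digest()
        return int.from_bytes(digest, "little")
    return h


def parse_form(body: bytes, hash_fn: Callable[[bytes], int],
               max_params: Optional[int] = None) -> ChainedTable:
    """Parse an application/x-www-form-urlencoded body into a table. max_params
    mirrors the caps shipped as fixes (ASP.NET MaxHttpCollectionKeys and PHP
    max_input_vars default to 1000, Tomcat maxParameterCount to 10000); the
    request is rejected before the table can be driven quadratic."""
    table = ChainedTable(hash_fn)
    seen = 0
    for pair in body.split(b"&"):
        if not pair:
            continue
        seen += 1
        if max_params is not None and seen > max_params:
            raise ValueError(f"more than {max_params} parameters, request rejected")
        name, _, value = pair.partition(b"=")
        table.put(name, value)
    return table


def attack_body(n_blocks: int) -> bytes:
    """Constructed malicious POST body: 2**n_blocks colliding parameter names."""
    return b"&".join(k + b"=1" for k in colliding_keys(n_blocks))


def comparison_cost(body: bytes, hash_fn: Callable[[bytes], int]) -> int:
    """Key comparisons spent parsing body with the given hash (no cap)."""
    return parse_form(body, hash_fn).comparisons


if __name__ == "__main__":
    body = attack_body(10)  # 1024 names, roughly 24 KB
    print("DJBX33A comparisons:", comparison_cost(body, djbx33a))
    print("keyed comparisons:  ", comparison_cost(body, keyed_hash(b"per-process secret")))
```

With 1024 colliding names the unkeyed table does 1024*1023/2 comparisons for a 24 KB request, and the cost grows with the square of the parameter count; the keyed hash spreads the same names across buckets, and the cap refuses the request outright. The cap is the cheap fix that does not depend on the hash at all, which is why every vendor shipped one.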

Expert: Bank Transactions Can Be Manipulated Even if OTP Devices Are Used

Security experts show that a virus can take full control of an Internet Explorer browser and manipulate bank transactions in real time even if the customer performing the transaction relies on an OTP (one-time password) device. The OTP proves that the user holds the token, but it is not tied to the payee or the amount, so malware that rewrites the transaction inside the browser can submit the altered version with the code the user has just entered.

Yash K.S., chief technology officer at Red Force Labs, released a proof of concept video to show how a cleverly designed virus can be used in a Man-in-the-Browser (MitB) attack that targets HSBC Bank transactions.

The point of the video is not to encourage illegal activities, so no code or details of the virus are released, instead the aim is to raise awareness on the security issues that affect online banking systems, even if sophisticated anti-fraud mechanisms are utilized.

The Wikipedia encyclopedia and blogging service WordPress are among the highest profile pages to remove material.

Google is showing solidarity by placing a black box over its logo when US-based users visit its site.

The Motion Picture Association of America has branded the action as "irresponsible" and a "stunt".

Visitors to Wikipedia's English-language site are greeted by a dark page with white text that says: "Imagine a world without free knowledge... The US Congress is considering legislation that could fatally damage the free and open internet. For 24 hours, to raise awareness, we are blacking out Wikipedia."

It provides a link to more details about the House of Representatives' Stop Online Piracy Act (Sopa) and the Senate's Protect Intellectual Property Act (Pipa).

Wanting to aid the battle against online banking fraud, SafeNet released a new eToken authentication device that financial services organizations can utilize to make eBanking applications and transactions more secure.

By using an optical sensor to read transaction data from the browser, SafeNet eToken 3500 generates a unique electronic signature that validates the process to make sure the transaction cannot be manipulated with Man-in-the-Browser (MitB) or Man-in-the-Middle (MitM) attacks.
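The difference between the OTP attack demonstrated by Red Force Labs and the transaction-bound signature SafeNet describes comes down to what the code is computed over. The following is an added example that is neither Red Force Labs' proof of concept nor SafeNet's eToken algorithm: it assumes a per-device secret shared with the bank, HMAC-SHA256 as the code generator, a six-digit display, and a bank that verifies the code against the transaction it actually received. The man-in-the-browser rewrites the transfer after the user has approved it.

```python
"""Event OTP versus transaction-bound code under a man-in-the-browser.
Added example; DEVICE_SECRET and USER_INTENT are constructed."""
import hashlib
import hmac
import struct
from typing import Any, Dict

DEVICE_SECRET = bytes(range(32))  # constructed; a real token keeps it in hardware
USER_INTENT: Dict[str, Any] = {"payee": "ELECTRIC-CO", "amount_cents": 4500, "counter": 7}


def _code(secret: bytes, message: bytes) -> int:
    """Truncate an HMAC to six decimal digits, as a token display would."""
    digest = hmac.new(secret, message, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % 1_000_000


def event_otp(secret: bytes, counter: int) -> int:
    """Event-based OTP: proves possession of the token, says nothing about
    what is being paid."""
    return _code(secret, struct.pack(">Q", counter))


def transaction_code(secret: bytes, counter: int, payee: str, amount_cents: int) -> int:
    """Transaction-bound code: the device MACs the payee and amount it showed
    the user on its own display, so the code fits only that transaction."""
    message = struct.pack(">Q", counter) + f"{payee}|{amount_cents}".encode()
    return _code(secret, message)


def man_in_the_browser(form: Dict[str, Any]) -> Dict[str, Any]:
    """Rewrites the transfer after the user approved it, before it leaves the
    browser; the user still sees the original on screen."""
    tampered = dict(form)
    tampered["payee"] = "MULE-ACCOUNT"
    tampered["amount_cents"] = 990_000
    return tampered


def bank_verify(received: Dict[str, Any], secret: bytes, bound: bool) -> bool:
    """The bank recomputes the code over what it received, not what the user saw."""
    if bound:
        expected = transaction_code(secret, received["counter"],
                                    received["payee"], received["amount_cents"])
    else:
        expected = event_otp(secret, received["counter"])
    return hmac.compare_digest(struct.pack(">I", expected),
                               struct.pack(">I", received["code"]))


def run_scenario(bound: bool) -> bool:
    """Returns True if the bank accepts the tampered transfer."""
    form = dict(USER_INTENT)
    if bound:
        form["code"] = transaction_code(DEVICE_SECRET, form["counter"],
                                        form["payee"], form["amount_cents"])
    else:
        form["code"] = event_otp(DEVICE_SECRET, form["counter"])
    received = man_in_the_browser(form)
    return bank_verify(received, DEVICE_SECRET, bound)


if __name__ == "__main__":
    print("OTP device, tampered transfer accepted:", run_scenario(bound=False))
    print("transaction-bound code, tampered transfer accepted:", run_scenario(bound=True))
```

The binding only helps if the payee and amount shown on the device are the ones the bank will act on; a device that reads them from the browser page, or a user who types whatever the page asks for (the Carberp voucher scam above is the social-engineering version), loses the protection.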

Chrome Beta Channel Release
Wednesday, January 18, 2012 | 16:30
Labels: Beta updates
The Beta channel has been updated to 17.0.963.38 for all platforms other than Chrome OS. This update fixes a number of stability and UI issues. Full details about what changes are in this build are available in the SVN revision log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug.

A researcher from IOActive Labs presents an interesting issue that affects some Windows 7 or Windows 2008 installer files which could allow an attacker to elevate his own privileges and compromise the operating system.

Cesar Cerrudo reveals that the C:\Windows\Installer\ folder contains installer files from previously installed applications. The file names are random, but when one of them is executed and it is an installer for a Microsoft application, it automatically escalates privileges and begins to install.

While in theory there shouldn’t be any problem, during the installation process a .dll file is loaded by the OS's msiexec.exe process with elevated privileges.

This may be considered a vulnerability, since if the dll is replaced with a specially crafted file, an attacker could obtain elevated privileges and execute his own code.

However, before executing the dll file, msiexec.exe generates an MD5 hash of it and compares it to a known MD5 hash read from a file contained in the folder that stores the installers.

This means that in order to successfully exploit the weakness, an attacker would need to replace the dll file with one that contains exploit code and still matches the valid hash.
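
The hash check described above, as an added illustration (this is not Cerrudo's or Microsoft's code): a loader that refuses a library unless its MD5 digest matches a reference value read from a side file, with a constructed stand-in file being tampered with to show the check failing. The file names, the one-digest-per-file manifest format and the sample bytes are assumptions. Two caveats a practitioner would raise: the comparison only protects the load if the reference-hash file cannot be written by the same low-privileged user, and MD5 is no longer collision resistant, so a stronger digest such as SHA-256 is the better choice for a new design.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 1 << 16


def md5_hex(path: str) -> str:
    """Hash a file in chunks so large libraries do not need to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def read_reference_hash(manifest_path: str) -> str:
    """Reference value kept beside the installers (assumed: one hex digest per file)."""
    with open(manifest_path, "r", encoding="ascii") as fh:
        return fh.read().strip().lower()


def verify_before_load(dll_path: str, manifest_path: str) -> bool:
    """Only a library whose digest matches the reference may be loaded.

    compare_digest keeps the comparison constant-time; the reference itself is
    only as trustworthy as the permissions on manifest_path.
    """
    expected = read_reference_hash(manifest_path)
    return hmac.compare_digest(md5_hex(dll_path), expected)


def demo_tamper_detection() -> tuple:
    """Return (verdict_before, verdict_after) for a constructed stand-in file."""
    with tempfile.TemporaryDirectory() as folder:
        dll = os.path.join(folder, "helper.dll")        # constructed, not a real DLL
        manifest = os.path.join(folder, "helper.md5")   # assumed reference-hash file
        with open(dll, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 62 + b"original helper code")
        with open(manifest, "w", encoding="ascii") as fh:
            fh.write(md5_hex(dll) + "\n")
        before = verify_before_load(dll, manifest)
        # A replacement that keeps the size but changes the content.
        with open(dll, "r+b") as fh:
            fh.seek(64)
            fh.write(b"replaced helper code")
        after = verify_before_load(dll, manifest)
    return before, after


if __name__ == "__main__":
    print(demo_tamper_detection())  # (True, False)
```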

January 19
Imperva researchers are warning of a problem with the way double quotes are encoded by Internet Explorer that can allow hackers to conduct cross-site scripting (XSS) attacks.

"Imperva argues that because most browsers automatically encode special characters in URLs, some Web developers might be inclined to process request URLs in the source code of their websites without making sure that they are properly sanitized," writes ITworld's Lucian Constantin. "A hacker who identifies such a website can craft a link to it that contains a double quote followed by malicious JavaScript code."

"Imperva claims to have notified Microsoft about the issue, but was told by the software company that this behavior is not considered a vulnerability and will not be fixed in a security update," Constantin writes. "The behavior might, however, get changed in a future IE version, Microsoft allegedly said."

At the end of 2011, security researcher Stefan Viehbock informed the United States Computer Emergency Readiness Team (US-CERT) of a major design flaw that existed in the latest wireless routers that incorporate the WiFi Protected Setup (WPS).

Now, Neowin provides a detailed explanation that shows how an 8-digit PIN can be guessed in less than a day.

WPS can be found in most commercial routers sold over the past few years, which means that a large number of individuals may be affected by the vulnerability present in the system that was designed to secure users in the first place.

Whenever someone tries to connect to a router that supports WPS, they are requested to provide an 8-digit PIN found on the back of the device.

While normally it would take someone more than 60 years to guess the PIN, especially since most routers go into a lock-down state for one minute if three wrong codes are entered, the recently discovered flaw allows for someone to guess it in around a day.

This is possible because the system is designed to split the 8 digits into 2 sets of 4, and if the first set is entered correctly, the router indicates this, giving the potential crook more chances of uncovering the password.

However, there are some ways in which users can protect themselves. The easiest way to secure a device is by updating its firmware to the latest variant offered by the vendor or by using a third party firmware such as Tomato or DD-WRT.

Another way to secure a router is by disabling WPS using the web interface. In order to test if the WPS is actually disabled, users can use another computer to connect to the network and if they’re prompted for the WPA key, they’re safe.

Give us your keys to look after, we're lovely
By John Leyden

Posted in ID, 20th January 2012 13:33 GMT

Mozilla is promoting a browser-based alternative to usernames and passwords for website logins.

BrowserID offers a decentralized system for user identification and authentication along the same lines as OpenID. To use BrowserID, users first have to create an account with Mozilla. After this, users would be able to enter websites that support BrowserID simply by entering their email address.

Developers can add support for the technology by including a JavaScript library and hooking into a JavaScript API and verification service, as explained in a blog post by Mozilla here.

The technology competes with OpenID, which is already used by prominent sites such as Twitter and Facebook. Mozilla is pushing BrowserID as a more secure and privacy-sensitive method than its competitors.

A flaw currently present in Internet Explorer (IE) could be exploited by hackers and used to launch cross-site scripting (XSS) attacks, due to the way double quotes (“) are encoded by the web browser.

Imperva researchers found the vulnerability and contacted Microsoft, but the Redmond company doesn’t see it as a security vulnerability.

“The behavior you are describing is something that we are aware of and are evaluating for changes in future versions of IE, however it's not something that we consider to be a security vulnerability that will be addressed in a security update,” said a Microsoft representative regarding the issue.

On the other hand, Imperva experts reveal that XSSed, a website that publicly discloses XSS vulnerabilities, has reported a number of attacks that affect only IE users because of this encoding bug.

So what is this bug exactly?

Because IE doesn’t encode double quote characters in the query part of the uniform resource identifier (URI), websites that support the browser may assume the query is already properly encoded and embed the request URI “as is” in the HTML response.

But since the quotes are not encoded, this can break the page’s HTML structure and allow a hacker to launch an XSS attack.

RFC 3986, the Internet standard that defines the URI syntax, states that characters such as the double quote should be “pct-encoded”, a policy that's implemented in other web browsers such as Chrome or Firefox.

Internet Explorer only encodes the problematic character in the path part of the URI and not in the query section. Since many websites are designed to let the browser do the encoding, the HTML may be broken and used by the hacker to launch what is called a reflected XSS attack, by convincing the victim to click on a malicious link.
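
An added illustration of the embedding mistake described in this and the earlier Imperva item (it is not Imperva's or Microsoft's code): a server that writes the request URI into an href attribute without escaping, beside the same template with HTML escaping, plus a helper that percent-encodes the query the way RFC 3986-conforming browsers already do. The request URI is constructed, with a harmless `<i>` element standing in for script, and Python's html.parser is used to show whether the attribute survives intact.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit, urlunsplit

# Constructed request URI, as a server receives it from a browser that leaves
# a double quote in the query unencoded. A harmless <i> element stands in for
# the script an attacker would put after the quote.
RAW_URI = '/search?q=foo"><i>injected</i>'


def render_link_unsafe(request_uri: str) -> str:
    """The pattern the article warns about: the URI is embedded 'as is'."""
    return f'<a href="{request_uri}">current page</a>'


def render_link_safe(request_uri: str) -> str:
    """HTML-escape at the point of output; quote=True turns " into &quot;."""
    return f'<a href="{html.escape(request_uri, quote=True)}">current page</a>'


def pct_encode_query(request_uri: str) -> str:
    """Re-encode the query as RFC 3986 expects (a double quote becomes %22).

    '%' is kept in the safe set so sequences the browser already encoded are
    not encoded twice; a stray bare '%' therefore passes through unchanged.
    """
    parts = urlsplit(request_uri)
    query = quote(parts.query, safe="=&%+/?:@")
    return urlunsplit(parts._replace(query=query))


class _Outline(HTMLParser):
    """Records the start tags seen and every href value, after entity decoding."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.hrefs.extend(value for name, value in attrs if name == "href")


def outline(markup: str) -> dict:
    """What a browser's parser makes of the markup: element list and hrefs."""
    parser = _Outline()
    parser.feed(markup)
    parser.close()
    return {"tags": parser.tags, "hrefs": parser.hrefs}


def attribute_intact(markup: str, expected_href: str) -> bool:
    """True when the URI stayed inside the single anchor's href attribute."""
    seen = outline(markup)
    return seen["tags"] == ["a"] and seen["hrefs"] == [expected_href]


if __name__ == "__main__":
    print(outline(render_link_unsafe(RAW_URI)))   # an extra <i> element appears
    print(outline(render_link_safe(RAW_URI)))     # a single <a>, href preserved
    print(pct_encode_query(RAW_URI))
```

Escaping at the point of output is the fix that holds no matter which browser sent the request; re-encoding the query server-side is a useful second layer, but on its own it still depends on every output path remembering to call it.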

Known issues:
25144 - External storage devices fail to automount. Workaround: Login using Guest mode and automount of the device will work.
Machines shipped with R11 and earlier versions may encounter problems with users being able to login to the machine. This may also occur after the user changes their password. Workaround: You may recover either from erasing the stateful partition or performing a machine recovery. Instructions can be found here.
If you find new issues, please let us know by visiting our help site or filing a bug. Interested in switching channels? Find out how. You can submit feedback using ‘Report an issue’ under the wrench menu.

DreamHost, a company that hosts more than a million domains, is notifying customers that hackers may have obtained unauthorized access to some of their passwords, advising them to change their FTP/shell access passwords and also their email passwords.

“Our security systems detected the potential breach this morning and we immediately took the defensive precaution of expiring and resetting all FTP/shell access passwords for all DreamHost customers and their users,” reads the letter sent to customers.

DreamHost clients have three types of passwords: a web panel password, used for logging into the administration panel, email passwords, and FTP/shell access passwords. The firm states that only FTP/shell passwords appear to have been compromised, but as a precaution email passwords should be reset as well.

Account holders are also warned that phishing emails may target them as a result of a data breach.

Firefox Beta Tests Add-on Hotfix Feature
Starting with Firefox 10, Mozilla will start delivering hotfixes for its web browser via an add-on, in order to push fewer full updates to users.

Firefox beta users are the first testers of the feature, as Mozilla today pushes an automatically downloaded test add-on. The component is visible in the Add-ons Manager as “Mozilla Firefox hotfix” and will not affect the way the browser behaves.

Over the following week the add-on should be removed, again automatically. The purpose of this exercise is to gather metrics about how well the feature works.

The intended purpose of the “add-on hotfix” feature is not to ship new features or replace the need for software updates. The reasons for choosing this solution are fast delivery of tweaks and fixing issues that can be eliminated without the need to download a new build of the browser.

Fake Megaupload sites pose a security risk
Some sites that could be phishing operations claim to be the relaunched Megaupload

By Nancy Gohring | IDG News Service

The people behind Megaupload might be working hard to get the site back up, but so are scammers.

Sites were popping up on Friday claiming to be the reincarnation of Megaupload, the popular website taken down by U.S. federal authorities on Thursday. But most of the imitators so far look like phishing sites, said Don Bowman, CTO for Sandvine, an Internet traffic equipment vendor.

One site has only an IP address for its locator, rather than a website name people can remember, but claims to be the location for the new Megaupload. "We are working to be back full again," the site says.

It's unlikely, however, that a site as popular as Megaupload would use only an IP address. For one thing, everyone visiting the site would be hitting the same server. Before it was shut down, Megaupload accounted for nearly 1 percent of traffic in North America, putting it in league with Facebook, Bowman said.

The research team, which included Reid Wightman, Dillon Beresford, Jacob Kitchel, Rubén Santamarta and two other researchers who chose to remain anonymous, worked as part of a project called Basecamp that was sponsored by industrial control systems (ICS) security firm Digital Bond.

The tested products were Control Microsystems' SCADAPack, the General Electric D20ME, the Koyo / Direct LOGIC H4-ES, Rockwell Automation's ControlLogix and MicroLogix, the Schneider Electric Modicon Quantum and Schweitzer's SEL-2032.

The affected vendors were not notified in advance about the discovered vulnerabilities and the proof-of-concept exploits showcased at S4 are being integrated into the popular Metasploit penetration testing framework.

"We are hoping that Project Basecamp will be a Firesheep moment for PLCs [programmable logic controllers]," said Reid Wightman, a Digital Bond security consultant and Basecamp project lead.

The Firesheep extension for Firefox, which can hijack people's online accounts when they use open wireless networks, is credited with pushing major online service providers like Google, Facebook, Twitter and Hotmail to add support for persistent HTTPS connections.

Project Basecamp hopes to trigger a similar reaction from SCADA (supervisory control and data acquisition) software developers, whose products have largely been overlooked by the security research community until the Stuxnet industrial sabotage worm emerged in 2010.

A beta version of Malwarebytes Anti-Malware has been released, aiming to fix several issues, some of which are of significant importance.

The problems solved in Malwarebytes Anti-Malware 1.60.1 beta include a bug that caused freezes in certain third-party security alternatives, on Windows XP. Another issue fixed in this build prevented the ignore list from reloading after updating the database.

Ignore list related issues are not limited to the aforementioned one. The development team also took care of a bug that would crash mbamcore.dll when certain malformed ignore list data was involved.

In some cases, upon certain upgrade installations the desktop icon would no longer be created. This should no longer be the case in the current beta version of the application.

Some fixes touch on certain language files: Dutch, Belarusian, and Korean. On the same note, the new build adds a Greek language file.

Google kills more services
Picnik, Google Message Continuity, Needlebase and others are on the chopping block this time

By Nancy Gohring

IDG News Service - Google is continuing to weed out its services and on Friday announced it will shut down Picnik, Google Message Continuity and Needlebase and make changes to some other services.

Google acquired Seattle-based Picnik in 2010, saying it would integrate the photo editing service with its own Picasa. "We're retiring the service on April 19, 2012, so the Picnik team can continue creating photo-editing magic across Google products," Dave Girouard, vice president of product management for Google, wrote in a blog post Friday.

The company is also discontinuing Google Message Continuity, its service for backing up Microsoft Exchange emails. Since launch, "hundreds" of businesses have signed up for the service, but it's clear many more are interested in Google Apps, Girouard wrote. "Going forward, we've decided to focus our efforts on Google Apps and end support for GMC," he wrote.

Google will shut down Needlebase, a data management platform, on June 1, and the Social Graph API, which isn't being widely used, on April 20.

Google also will stop offering a client-hosted version of Urchin, an online analytics product on which the company built Google Analytics. It will instead focus on the online offering of Analytics.

Firms face tougher data-protection rules in Europe
By Steven Musil
Companies will be required to disclose security breaches within 24 hours of their occurrence under European Union proposals being made this week to strengthen data-protection rules.

New rules are needed to protect consumers and reduce bureaucracy, EU justice commissioner Viviane Reding said in a speech at a conference on Sunday in Munich.

"Companies that suffer a data leak must inform the data-protection authorities and the individuals concerned, and they must do so without undue delay," Bloomberg quoted Reding as saying at the DLD conference. "European data-protection rules will become a trademark people recognise and trust worldwide."

Notorious black hats who have hacked thousands of websites over the years gather gigabytes of information stolen from their victims, much of which is never published online. Phantom~, one of the members of TeaMp0isoN, decided to clean up his hard drive and publish tons of data he collected as a result of breaching sites.

Usernames, passwords and other sensitive information belonging to members and administrators of around 7,000 websites are contained in the data leak, posted on Pastebin in multiple parts.

We found Phantom on an IRC channel and contacted him to find out why he published all the data after all this time.

“Cleaning my PC, I worked on them, so it’s not for nothing. People can test their skills on them and [expletive],” said Phantom~.

The list of victims includes book stores, website developers, mobile phone stores and other, mostly commercial, websites from all around the world.

Full details about what changes have been made in this release are available in the SVN revisions log. Interested in switching to another channel? Find out how. If you find a new issue, please let us know by filing a bug.

By Gregg Keizer
January 24, 2012 02:33 PM ET
Computerworld - Google yesterday patched four vulnerabilities in Chrome, and disclosed that it had patched a fifth two weeks ago.

The refresh of Chrome 16 was the second security-related update for the browser this month.

One of the five bugs Google said had been quashed was actually a leftover from the Jan. 9 update. According to a blog post by Anthony Laforge, a Chrome program manager, that flaw was actually patched two weeks ago, but "[was] accidentally excluded from the release notes" at the time.

The vulnerability was the most serious of the five, rating a "critical" ranking, Google's top threat label.
According to the bug-tracking materials for Chromium, the open-source project that feeds code into Chrome, the critical bug caused the browser to crash when users saw Chrome's anti-malicious site warning and then refreshed the page.

The HP-sponsored hacking challenge revises its rules in an effort to expose even more vulnerabilities.

By Sean Michael Kerner | January 23, 2012

Over the last several years, the Pwn2Own hacking challenge has become known as the place where browsers get hacked, sometimes within just a matter of minutes. This year, the event's organizers at HP TippingPoint's Zero Day Initiative (ZDI) are looking to project a more serious demeanor and downplay the sensational nature of the contest -- even as they change the rules in an effort to demonstrate a record number of exploited security vulnerabilities.

"In the past, due to the way the competition was architected, we had lots of sensationalist headlines, things like 'Mac hacked in three seconds'," said Aaron Portnoy, Manager of the Security Research Team at HP TippingPoint, in a conversation with InternetNews.com. "We don't think that type of sensationalism was representative of all the research that was going on."

In previous years, researchers would go on stage to demonstrate a vulnerability, sometimes in under a minute. At the 2011 event, Apple Safari and Microsoft's IE were hacked on the first day. At the event two years prior, Safari was hacked in under two minutes.

Four months after taking down the Kelihos botnet, Microsoft on Monday identified the man it believes was behind the massive infection designed to deliver spam and steal data.

In an amended complaint (PDF) filed with the US District Court for the Eastern District of Virginia, the software giant accused Andrey N Sabelnikov, a resident of St Petersburg, Russia, of writing the code for and participating in the creation of the Kelihos malware. The complaint further alleges that Sabelnikov used the malware to control and nurture the Kelihos botnet.

Kelihos comprised about 41,000 infected computers worldwide and was capable of sending 3.8 billion spam emails per day before Microsoft put a stop to it last September, according to the company.

Antivirus security firm Bitdefender has expressed concerns over what it claims is a new hybrid malware that was created by viruses infecting worms on poorly protected machines.

Bitdefender has taken part in an analysis of 10 million infected files that saw it discover some 40,000 "Frankenmalware" samples. With this representing around 0.4 per cent of checked malware, Bitdefender extrapolates it to mean that there are likely around 260,000 hybrid examples in the wild.

"If you get one of these hybrids on your system, you could be facing financial troubles, computer problems, identity theft, and a wave of spam thrown in as a random bonus," said Bitdefender threats analyst Loredana Botezatu, who launched the study of the hybrid species. "The advent of malware sandwiches throws a new twist into the world of malware. They spread more efficiently, and will become increasingly difficult to predict."

Bitdefender further described the malware threat as a growing one, with the amount of wild viruses, spyware and adware increasing by some 17 per cent throughout 2012.

Google to combine users' data across its services
Rewritten privacy policies allow Google to use data in a variety of services if a Google Accounts user is signed in

By Stephen Lawson
January 24, 2012 09:06 PM ET
IDG News Service - Google will be able to combine data from several Google services when a Google Accounts user is signed in, as part of a rewritten set of privacy policies that the company announced on Tuesday.

Google said it added the new capability so it can provide better and more targeted services. For example, by combining information from Google Calendar and Google Maps, the company could deliver reminders of a scheduled meeting that take into account how far the user is from the meeting location and how the traffic is on the way, said Alma Whitten, Google's director of privacy product and engineering, in a blog post on Tuesday.

The changes will take effect on March 1, and Google said it was starting to inform users about them via email and a homepage notice. They are included in a major update of Google's privacy policies that, among other things, will consolidate the policies for a majority of Google products into one policy. Taking more than 70 privacy documents, Google has combined more than 60 of them into that main policy, Whitten wrote. Google also said it has cut down on the Google Terms of Service and made them easier to read.

Symantec is urging users to patch pcAnywhere, its remote control application, following the discovery of a brace of serious security flaws.

The most severe of the two holes allows hackers to remotely inject code into vulnerable systems - made possible because a service on TCP port 5631 permits a fixed-length buffer overflow during the authentication process. This line of attack ought to be blocked by a properly configured firewall, but it'd be stupid to rely on that without patching vulnerable systems.

The other flaw relies on overwriting files installed by pcAnywhere in order to escalate a user's privileges, although miscreants will already need access to a vulnerable system to leverage this.

Broadband news website thinkbroadband.com has published an article detailing how O2 passes its customers' phone numbers to every website they view when they access the internet from a handset on its network.

Thinkbroadband's post goes on to mention that O2 sends this information within the HTTP headers, which normally contain information about how content can be displayed on the device.

"These headers are not normally seen by users, and usually not logged by most websites, but the flaw allows malicious sites to get more personal information about you than you may be willing to share", added the website.

Symantec: Users Should Disable pcAnywhere to Prevent Attacks
There have been many rumors around the hacking operation that affected Symantec back in 2006, resulting in the theft of source code for some of their products. Now the company came forward with official “security recommendations,” advising customers to disable their pcAnywhere products until they release a patch.

Symantec confirms that products from the 2006-era are affected by the data breach that took place at the time, including Norton Antivirus Corporate Edition, Norton Internet Security, Norton SystemWorks, which includes Norton Utilities and Norton GoBack, and pcAnywhere, a software that allows direct PC-to-PC communications.

A detailed analysis of the situation reveals that most customers aren’t exposed due to the age of the products.

Beta Channel Update
| 16:47
Labels: Beta updates
The Beta channel has been updated to 17.0.963.44 for all platforms other than Chrome OS. This update fixes a number of stability and UI issues. Full details about what changes are in this build are available in the SVN revision log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug.

Mobile network operator O2 has apologised to its customers for a technical error that accidentally revealed users' mobile phone numbers to any web site they visited over 3G or WAP mobile internet connections.
Writing in a blog post the firm explained that whereas only "trusted partners" were meant to receive the phone numbers of customers that browsed certain sites, a change in its network inadvertently released this information to all web sites.

"Technical changes we implemented as part of routine maintenance had the unintended effect of making it possible in certain circumstances for web site owners to see the mobile numbers of those browsing their site," it said.
"We would like to apologise for the concern we have caused."

Google: No opt-out of mix-and-match data
By Tom Espiner, ZDNet UK, 25 January, 2012 14:50
People will not be able to opt out of having their data shared across Google products and services under the company's newly updated privacy policy.
Those who object to their data being merged and used to target advertising have the choice not to use Google services, a company spokesman told ZDNet UK on Wednesday.

"If you continue to use Google services after 1 March, you'll be doing so under the new privacy policy and terms of service," he said. "We hope you keep using Google, but if you'd prefer to close your Google Account, you can follow the instructions in our help centre."

"We remain committed to data liberation, so if you want to take your information elsewhere you can," he added.

Google expects to see some negative reaction from users. "Our priority for this change is to give clear notice and choice to our users," the spokesman said. "We're also working hard to explain the benefits of this change to our users so they understand why they should continue using Google."

Last night my sister-in-law called me, just about in tears. "Something" had happened to her laptop--probably a virus, she guessed--but everything seemed to be gone: all her desktop and Start Menu icons, and, even scarier, all her data. It was like aliens had abducted her desktop.

Not aliens: hackers. Her system had indeed been infected by a virus, and it took me a few sweeps with Malwarebytes Anti-Malware (still the best recovery tool out there, IMHO) to get rid of it. (Here's a great malware-removal tutorial from PC World's Eric Geier.)

Just one problem: removing the virus hadn't restored all my sister-in-law's icons and data. The hard drive still showed nearly full, meaning nothing had actually been erased, but for all intents and purposes, the stuff was still MIA.

Fortunately, I found a utility that worked a seemingly major miracle: It brought everything back.

CCleaner 3.15 Improves Cache and Cookies Analysis Results
It looks like Piriform is now working at full speed, since the new CCleaner 3.15 is the third product they have updated this week.

The browser-related improvements in the current release cover the cleaning of history items in Firefox, as well as the analysis results for cookies and cache in both Mozilla’s web browser and Google Chrome.

Also improved is the Drive Wiper feedback in the case of successful operations, as well as the thread synchronization algorithm, in order to avoid possible deadlocks. Furthermore, CCleaner 3.15 comes with better cleaning for Windows log files and Microsoft search.

Newly added in this build is the option to clean only Recycle Bin files deleted more than 24 hours ago and Chrome Canary Omnibox search shortcut cleaning. Cleaning has been updated for a set of applications that include Camtasia Studio 7.0 and Ashampoo Burning Studio 11.

The full list of changes is available on this page. You can download CCleaner from here.

Zscaler launches Zulu service to scan sites for security threats
by Shaun Nichols
Security firm Zscaler has launched Zulu, a free service that can scan sites for possible security threats.
The company said that the service would use a combination of proprietary and open-source tools to scan sites and provide security ratings based on a number of criteria.

The service supports direct URLs as well as addresses masked with URL shortening services.
Michael Sutton, Zscaler vice president of threat research, told V3 the aim of the Zulu service was to go beyond the reach of conventional URL-scanning tools.
Rather than analysing sites based solely on reputation, Zulu uses heuristics, reputation and host domain analysis to give pages a threat rating.
"We saw a lot of great tools out there, but they tended to be very niche," Sutton said.
"We wanted something that was looking at all types of web content."
The result, said Zscaler, is a service that can not only notify users when a site directly contains an attack, but also alert them when a site's host domain and servers have previously been associated with illegal or malicious activities.
While the service is being provided free of charge, Zscaler also views Zulu as a possible research opportunity.
In addition to exposing users to the brand name, the platform allows the company to collect additional data on domains and possibly spot attacks that would have otherwise gone unnoticed.
"We are giving away some great information so that anybody in the world has the ability to analyse content," Sutton explained.
"The benefit we get back is that maybe somebody submits a malicious URL that we have not yet seen."

The security flaw can be exploited by tricking the victim into opening a specially crafted MIDI (Musical Instrument Digital Interface) file in Windows Media Player.

Microsoft released a security fix for it on Jan. 10, as part of its monthly patch cycle. "An attacker who successfully exploited this vulnerability could take complete control of an affected system," the company said at the time.

The so-called drive-by-download attack identified by Trend Micro researchers uses a malicious HTML page to load the malformed MIDI file as an embedded object for the Windows Media Player browser plug-in.

If successful, the exploit downloads and executes a computer Trojan on the targeted system, which Trend Micro detects as TROJ_DLOAD.QYUA. "We're still conducting further analysis on TROJ_DLOAD.QYUA, but so far we've been seeing some serious payload, including rootkit capabilities," Dela Paz said.

It's not yet clear how victims are being tricked into visiting the malicious page, but the attack doesn't appear to target a particular organization or group of people, said David Sancho, a senior antivirus researcher at Trend Micro.

A researcher from the Vulnerability Laboratory came across a cross-site scripting (XSS) vulnerability in the Google Apps webpage, hosted on the google.com domain, but also in other popular websites.

Ucha Gobejishvili, also known as longrifle0x, found the flaw in Google Apps and reported it to Google.

Even though the risk level is estimated as low, if unresolved, the security hole present in one of the search modules could allow a remote attacker to hijack cookies and even steal accounts.

On the other hand, the attacker would have to social engineer the victim into performing certain tasks for the session hijacking to be successful.

The vulnerability had been reported on January 21 and the vendor responded on January 23, but at the time of writing the bug still exists on the Google page.

This is not the only vulnerability found by longrifle0x in the past days. The Forbes search page, Ferrari’s official online store, MTV, and the social network MySpace also contain the same type of vulnerability. Unfortunately, none of them is currently patched up and reports from XSSED reveal that the domains were already XSS’ed.

January 27th, 2012, 15:22 GMT · By Eduard Kovacs
Zscaler, the leading security solutions provider, released a great free tool that allows even more inexperienced users assess the risks that may hide behind an apparently harmless URL.

The project, called Zulu, its name being inspired by the ancient Zulu warriors represented by a citizens army, is a completely free service launched with the purpose of allowing users to experiment with new, more advanced, detection techniques.

The user interface was designed to be simple, but at the same time to provide sufficient information for even the more security-savvy customers.

All the user needs to do is input the URL he wants to scan and press a button. After that, the company’s advanced detection engines work to establish the overall rating: Benign, Suspicious or Malicious.

For more advanced users, the application offers the possibility to set some advanced options, such as User Agent or Referrer, in case malware is encountered that is triggered only with certain input variables.

The results may be simple to read, but they also contain some details of elements that compose the overall score, for users who know what to look for.

Notes from a Mozilla meeting last week said that the upgrade was on for Jan. 31, the next ship date in the every-six-week schedule that the company adopted last year.

The new version includes one of the first components of Firefox's planned silent update mechanism: The browser automatically disables incompatible add-ons and marks all others as compatible.

Add-ons that work with Firefox 4 or later will be marked as compatible in Firefox 10, Mozilla said.
Complaints about incompatible add-ons have been common since Mozilla shifted to the faster release schedule, as add-on developers have been slow to revamp their code or at least mark their extensions as suitable for the newest browser.

Industry group pushes new spec to eliminate phishing
Facebook, Google, and PayPal are promoting the new DMARC protocol in hopes it will make users less likely to receive fraudulent emails

By Jeremy Kirk | IDG News Service

Companies such as Facebook, Google, and PayPal are pushing for widespread use of a new technical specification, DMARC, that could make it harder for phishers to reach their victims.

A common problem with email is that it is very easy to spoof the "from" address, making it difficult for an average user to know if an email is really from the domain it purports to be from. Technologies such as DKIM and SPF already allow domain owners to vouch for mail sent in their name, but don't specify what to do with messages that fail the test. DMARC builds on those systems, allowing domain owners to ask receiving mail servers to discard mail that fails authentication tests. That will make it less likely that scam messages impersonating sites such as PayPal will appear in your inbox.
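As an added illustration of the DMARC decision described above (example code written here, not part of the article or of any DMARC implementation), this Python evaluator parses a domain's DMARC record and applies its policy to one message's SPF and DKIM results. The record, domains and results are constructed, and the organisational-domain helper is a simplification of what real receivers do with the public suffix list.

```python
"""Minimal DMARC policy evaluator (added example; constructed inputs)."""


def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=reject; adkim=s; ...' into a dict with RFC defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100", "sp": None}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain):
    """Organisational domain, simplified to the last two labels
    (real receivers consult the public suffix list)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain):
    """Return 'pass' if SPF or DKIM passed AND is aligned with the RFC5322
    From domain; otherwise the policy the domain owner asked receivers to
    apply ('none', 'quarantine' or 'reject'). The pct sampling tag is ignored."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    policy = tags["p"]
    # A subdomain policy (sp) overrides p for mail from subdomains.
    if tags["sp"] and from_domain.lower() != org_domain(from_domain):
        policy = tags["sp"]
    return policy


# Constructed example: a spoofed message with no valid authentication.
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"
if __name__ == "__main__":
    print(dmarc_disposition(RECORD, "example.com", "fail", "attacker.test",
                            "none", ""))  # spoof -> reject
```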

There has been a lot of debate lately on how challenging it is to create software that can automatically break CAPTCHA security codes, with some researchers even issuing advisories regarding the creation of strong CAPTCHAs.

However, security experts found that a component of the ZeuS-like Cidrex Trojan was able to break the security tests to create email accounts.

Websense researchers came across a variant of Cidrex, a banking Trojan, that not only infects computers with the purpose of stealing sensitive data from their owners, but it also manages to create Yahoo! email accounts to spam others.

This particular version of the malware spreads via emails containing a shortened link which points to the Blackhole exploit kit. If the exploit is successful, the Trojan is downloaded to the infected machine.

Cidrex then looks for sensitive information that later allows cybercriminals to access social media and banking accounts, and sends all the acquired data back to a command and control server.

Up until now, most malicious emails that were designed to spread a virus or a Trojan required some user interaction, but new variants discovered by German security experts automatically infect a device when the email is opened in the email client.

Many security savvy users know that, as long as you don’t click on a link or open an attachment that comes with a suspicious looking email, you should be safe.

Unfortunately, this is about to change since researchers from the eleven Research Team came across an improved variant consisting of HTML emails that contain JavaScript designed to automatically download malware when the message is opened.

This malicious technique is similar to the one utilized in drive-by downloads in which compromised websites are altered to serve malevolent elements to users that visit them.

Beta Channel Update
Monday, January 30, 2012 | 13:46
Labels: Beta updates, Chrome OS
The Beta channel has been updated to 17.0.963.46 for all platforms including Chromebooks (Platform versions: 1412.150). This update fixes a number of stability and UI issues. For Chromebook users, it also includes a new version of Pepper Flash. Full details about what changes are in this version of Chrome are available in the SVN revision log. Interested in switching release channels? Find out how on Chrome / Chromebooks. If you find a new issue, please let us know by filing a Chrome or Chrome OS bug.

Cybersecurity report: All countries lag behind the bad guys
The new report from McAfee and SDA ranks Finland, Sweden and Israel as the countries most prepared for cyber-threats

By Grant Gross
January 30, 2012 04:24 PM ET
IDG News Service - The U.S. and U.K. are relatively well prepared for cyberattacks, compared to many other developed nations, but everyone has more work to do, according to a new cybersecurity study from McAfee and Security & Defence Agenda (SDA).

The report, which ranks 23 countries on cybersecurity readiness, gives no countries the highest mark, five stars. Israel, Sweden and Finland each get four and a half stars, while eight countries, including the U.S., U.K., France and Germany, receive four stars. India, Brazil and Mexico ranked near the bottom.

No country is ahead of cyberattackers, said Phyllis Schneck, CTO of the public sector for McAfee. The bad guys are "faster and swifter" than the good guys, she said.

Hackers are compromising WordPress 3.2.1 blogs in order to infect their visitors with the notorious TDSS rootkit, according to researchers from Web security firm Websense.

It's not clear how the websites are being compromised, but there are publicly known exploits for vulnerabilities that affect WordPress 3.2.1, which is an older version of the popular blog publishing platform.

Once they gain unauthorized access to a blog, the attackers inject malicious JavaScript code into its pages in order to load a Java exploit from a third-party server.

"From our analysis the number of infections is growing steadily (100+)," said Websense principal security researcher Stephan Chenette in a blog post on Monday. The company's research into this mass code injection campaign indicates that whoever is behind it is experienced.

SOFTWARE DEVELOPER Browsium has updated its web browser plug-in technology to help firms migrate from Microsoft Internet Explorer 6 (IE6), while still letting them access legacy applications written specifically for the outdated browser version.
The firm's first product, Unibrows, required customers to deploy the IE6 engine, which caused some licensing issues, but the new product does away with that completely.
Browsium Ion, available immediately, introduces a new approach to compatibility. It eliminates the need to use the IE6 engine completely, and instead allows organisations to tailor configuration settings in IE8 and IE9 that will apply only to specific URLs that need remediation.